Saturday, October 25, 2014

Managing Risk

Risk Appetite is the quantity and nature of risk that an organization is willing to accept as it evaluates the trade-off between perfect security and unlimited accessibility.
Residual Risk is the amount of risk that remains after the organization has implemented policy, education and training, and technical controls and safeguards.

Feasibility

Feasibility studies weigh the economic and non-economic consequences of an exploitation of the vulnerability and of the controls proposed against it. Organizational, operational, technical and political feasibility are the non-economic studies; cost-benefit analysis is the economic one.

Cost-Benefit Analysis:

There are several ways to determine the value of the information assets to be protected. One technique is to express expenses and savings in dollar terms, counting as savings the losses avoided by preventing incidents (economic cost avoidance).
Cost: Putting a price on the information itself is difficult, so cost is usually built up from what it takes to protect the information system: development of software or acquisition of a vendor product, training for the employees who manage and use the product, the supporting infrastructure, upgrades and maintenance, and the labor for implementation and maintenance.
Benefit: The value the organization gains after implementing controls that prevent the losses associated with a vulnerability in an asset.
Asset Valuation: The process of assigning a financial value or worth to each information asset in the organization. Asset valuation involves estimating real or perceived costs, covering everything spent to design, develop, install, implement, maintain, protect and recover the asset, and it also includes the cost of physical assets such as hardware.
Cost-benefit analysis is performed by calculating Single Loss Expectancy (SLE), Annualized Rate of Occurrence (ARO) and Annualized Loss Expectancy (ALE).
ARO indicates how often an attack is expected to occur in a year; SLE is the loss to the asset from a single attack; ALE, their product, is the expected loss per year.
ALE = SLE * ARO
CBA = ALE (pre-control) - ALE (post-control)
The difference between the pre-control and post-control ALE is the benefit in the cost-benefit analysis.
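A worked version of the SLE/ARO/ALE arithmetic above, added here as an example rather than taken from the textbook. It compares several candidate controls for one asset; the figures are constructed, SLE is derived from asset value times an exposure factor, and the annualized cost of each control is subtracted from the ALE difference (an assumption, so the result is a net figure) before the best control is chosen.

```python
"""Cost-benefit analysis with SLE, ARO and ALE (added example, constructed data)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Exposure:
    """One asset/vulnerability pair as it stands before any new control."""
    asset_value: float      # result of asset valuation, in dollars
    exposure_factor: float  # fraction of the asset's value lost per incident (0.0-1.0)
    aro: float              # expected incidents per year (may be below 1 for rare events)

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float          # acquisition + training + infrastructure + upkeep, per year
    new_exposure_factor: float  # exposure factor once the control is in place
    new_aro: float              # ARO once the control is in place

def sle(asset_value, exposure_factor):
    """Single Loss Expectancy: loss from one incident."""
    return asset_value * exposure_factor

def ale(single_loss, aro):
    """Annualized Loss Expectancy: ALE = SLE * ARO."""
    return single_loss * aro

def cba(exposure, control):
    """Return (ale_pre, ale_post, net_benefit) for one candidate control."""
    ale_pre = ale(sle(exposure.asset_value, exposure.exposure_factor), exposure.aro)
    ale_post = ale(sle(exposure.asset_value, control.new_exposure_factor), control.new_aro)
    # Post's formula gives the benefit as ALE(pre) - ALE(post); the control's own
    # annual cost is subtracted here as well (assumption) to get a net figure.
    return ale_pre, ale_post, (ale_pre - ale_post) - control.annual_cost

def best_control(exposure, controls):
    """Control with the largest positive net benefit, or None if none pays for itself."""
    ranked = sorted(controls, key=lambda c: cba(exposure, c)[2], reverse=True)
    return ranked[0] if ranked and cba(exposure, ranked[0])[2] > 0 else None

# Constructed figures: a $200,000 customer database losing half its value per
# breach, with two breaches a year expected under current controls.
DB = Exposure(asset_value=200_000, exposure_factor=0.5, aro=2.0)
CONTROLS = [
    Control("encrypt + key mgmt", annual_cost=30_000, new_exposure_factor=0.1, new_aro=2.0),
    Control("web app firewall", annual_cost=25_000, new_exposure_factor=0.5, new_aro=0.5),
    Control("rewrite application", annual_cost=250_000, new_exposure_factor=0.05, new_aro=0.2),
]

if __name__ == "__main__":
    for c in CONTROLS:
        pre, post, net = cba(DB, c)
        print(f"{c.name:20s} ALE {pre:>9,.0f} -> {post:>9,.0f}  net {net:>+10,.0f}")
    print("choose:", best_control(DB, CONTROLS).name)
```

The rewrite shows the edge case the post's Cost paragraph implies: a control can cut ALE almost to zero and still fail the analysis because its annualized cost exceeds the loss it avoids.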

Organizational Feasibility: Examines how well the proposed information security alternatives will contribute to the efficiency, effectiveness and operations of the organization, and whether the implementation aligns with the strategic plan for information systems or deviates from it.
Operational Feasibility: Also called behavioral feasibility. It refers to user acceptance, management acceptance, and compatibility with and support for the requirements of the organization's stakeholders.
Technical Feasibility: Implementing technological controls is complex, so it is necessary to determine whether the technology is compatible with the organization's policy and strategy.
Political Feasibility: Considers what can and cannot happen based on the consensus and relationships among the organization's communities of interest.

Reference: Management of Information Security by Whitman and Mattord


Friday, October 17, 2014

Risk Assessment

Risk assessment is the process of evaluating the risk associated with each vulnerability. It assigns a risk rating (or score) to each vulnerability.
The rating is calculated from the likelihood and impact of the vulnerability, the existing controls that protect the asset, and the uncertainty of the estimates.
Likelihood: A numerical value on a defined scale for the probability that a specific vulnerability will be exploited. Likelihood ratings range from 0.1 (low) to 1.0 (very high) (NIST Special Publication 800-30). Values are assigned from experience and from reviewing existing internal and external sources.
Assessing Potential Loss (Score/Impact): A weighted score is assigned based on the information recorded during the risk identification process. Assets whose compromise stops business processes score 100, assets of very low impact and low criticality score 1, and all medium assets score 50 (NIST SP 800-30).
Percentage of Risk Mitigated by Current Controls: Calculated from the controls already employed against the threats and vulnerabilities.
Uncertainty: Reflects how confidently the likelihood of an attack against the asset, and the impact a successful attack would have on the business process, can be estimated. The percentage is estimated from experience and review.
Risk determination combines likelihood, score, existing controls and uncertainty in one formula:
Risk Determination = (Score * Likelihood) - (percentage of the score mitigated by current controls) + (uncertainty percentage of the score)
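The risk determination formula applied to a small constructed risk register, added here as an example and not taken from the textbook. It assumes the control and uncertainty percentages are taken of the score x likelihood product, the way the textbook's own worked example (value 100, likelihood 0.5, 50% controlled, 20% uncertainty gives 50 - 25 + 10 = 35) applies them, and it rejects likelihoods outside the 0.1 to 1.0 scale cited above.

```python
"""Per-vulnerability risk rating and ranking (added example, constructed data)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Vulnerability:
    asset: str
    name: str
    score: int           # impact weight from the post: 100 critical, 50 medium, 1 low
    likelihood: float    # 0.1 (low) .. 1.0 (very high), NIST SP 800-30 scale
    controlled: float    # fraction of risk mitigated by current controls, 0.0-1.0
    uncertainty: float   # fraction expressing doubt in the estimates, 0.0-1.0

def risk_rating(v):
    """(score * likelihood) - controls% of that product + uncertainty% of it.

    Applying the percentages to the product is an assumption that follows the
    textbook's worked example; the post's wording alone does not pin it down.
    """
    if not 0.1 <= v.likelihood <= 1.0:
        raise ValueError(f"{v.name}: likelihood {v.likelihood} is outside 0.1-1.0")
    if not (0.0 <= v.controlled <= 1.0 and 0.0 <= v.uncertainty <= 1.0):
        raise ValueError(f"{v.name}: percentages must be given as fractions 0.0-1.0")
    base = v.score * v.likelihood
    mitigated = base * v.controlled
    doubt = base * v.uncertainty
    return base - mitigated + doubt

def rank(vulns):
    """Highest rating first, so a remediation order falls out of the register."""
    return sorted(vulns, key=risk_rating, reverse=True)

# Constructed register entries (asset, vulnerability, score, likelihood, controlled, uncertainty)
REGISTER = [
    Vulnerability("web server", "unpatched TLS library", 100, 0.5, 0.5, 0.2),
    Vulnerability("web server", "default admin page", 100, 0.1, 0.0, 0.2),
    Vulnerability("file share", "weak share ACL", 50, 1.0, 0.0, 0.1),
    Vulnerability("lab printer", "SNMP public community", 1, 0.9, 0.0, 0.3),
]

if __name__ == "__main__":
    for v in rank(REGISTER):
        print(f"{risk_rating(v):6.1f}  {v.asset:12s} {v.name}")
```

Note how the uncontrolled medium asset outranks the half-controlled critical one: existing controls and likelihood pull a critical-scored vulnerability down the list, which is the point of rating rather than sorting by impact alone.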


Reference: Management of Information Security by Whitman and Mattord

Saturday, October 11, 2014

Risk Management Framework

Developed by NIST and DoD as a six-step process. The intent of this common framework is to improve information security, strengthen risk management processes and encourage reciprocity among federal agencies.
Characteristics of RMF:
·         Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes.
·         Encourages the use of automation to provide senior leaders the necessary information to make cost effective, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions.
·         Integrates InfoSec into the enterprise architecture and the system development life cycle, emphasizing the selection, implementation, assessment and monitoring of security controls, and the authorization of information systems.
·         Links risk management processes at the information system level to risk management processes at the organization level through a risk executive.
·         Establishes responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems.

Risk Management Framework Steps:

1.       Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.
2.       Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.
3.       Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
4.       Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
5.       Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.
6.       Monitor the security controls in the information system on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.

Source: Management of Information Security by Michael E Whitman and Herbert J. Mattord

Thursday, October 2, 2014

Information Security Roles, Learning Objectives

Implementing Security Education, Training, and Awareness

The Security Education, Training and Awareness (SETA) program begins after the information security program is in place. The program offers three major benefits:
·         Improves employee behavior.
·         Informs members of the organization where to report violations of policy.
·         Enables the organization to hold employees accountable for their actions.
Employee accountability is necessary to ensure that the acts of an individual do not threaten the long-term viability of the entire organization.

Learning Objectives

Understanding of:

·         Access control systems and methodology
·         Applications and systems development
·         Business continuity planning
·         Cryptography
·         Law, Investigation, and ethics
·         Operations security
·         Physical security
·         Security architecture and models
·         Security management practices
·         Telecommunications, network and Internet security

Accomplishment in:

·         Firewalls
·         IDSs
·         Access Controls
·         Vulnerability assessment
·         Operating System Security
·         Cryptography

Mastery of:

·         Firewall ACLs
·         Firewall architecture
·         Firewall generations
·         Proxy services
·         DMZ configuration
·         VPN configuration
·         Remote firewall management

Source: Management of Information Security by Michael E Whitman and Herbert J. Mattord